ForeFront Logging onto my Database Server?

  • Question

  • Every night at 2:05 am, the ID we use for ForeFront logs onto a SQL database server for under 10 seconds and logs back off. Security event ID 540 (logon) and 538 (logoff) are all we see and ForeFront is NOT installed on that server.

    So why is it reaching out to it then? I've checked all the other logs at the same times and don't see anything from that forefront ID. Anyone seen Forefront log onto unmanaged servers in the middle of the night before?

    Wednesday, July 21, 2010 7:09 PM

Answers

  • If you wanted to see the managed computers that show up in the console, you could go into the MOM 2005 Administrator Console. Dig into there and it will list all the computers whether they are agent managed or not. You can also go into the SQL Reporting Services Reports page by going to http://reportingserver/reports and dive into the Forefront Client Security reports. Once in there, pull up the Connectivity Summary report; this will let you know what machines have been reporting in and the timeframe in which they have reported back.

    The action account is used to run server side scripts and security state assessment. I would guess depending on your deployment what else that service account does whether it does anything with SQL as well.

    Hope this helps, please post back if you need more help.

    Friday, July 23, 2010 1:43 AM

All replies

  • It seems like a “DTS job” running causes that; the DTS package copies the reporting data from the OnePoint database to the MOM Reporting Server database, but that is only a guess.

    Arick

    Thursday, July 22, 2010 9:02 AM
  • I don't think it's DTS - we have different accounts for different functions. This is the "Forefront-Action" account logging on, not the "Forefront-DTS" account. Is there a way to go into Forefront and see what accounts are assigned to do what? (The Forefront admin console seems pretty useless to me - I can't even see what machines are being managed... or can I?)

    I'm an SCCM admin and the Forefront guy is on vacation. Forefront is kinda similar to what I do but I'm not very familiar with it. From what I can tell, that SQL server has no MOM client installed on it (from the MOM Admin Console on the Forefront server) and it doesn't have Forefront installed on it (no Program Files\Microsoft Forefront folder on it).

    So I'm thinking maybe the Forefront server does a network sweep? Logging on to get machine info? I don't see the same pattern on my SCCM server (where I DO have Forefront installed)...

    Thursday, July 22, 2010 6:05 PM
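
Added example, not part of the thread: one way to trace a short 540/538 pair like the one in the question is to match the two events by Logon ID and read the logon type and source address from the 540 record, where it carries them. The CSV layout, account name, logon IDs and addresses below are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: Security log rows exported to CSV. The column layout,
# account name, logon IDs and addresses are assumptions made for illustration.
SAMPLE = """time,event_id,user,logon_id,logon_type,source
2010-07-20 02:05:01,540,Forefront-Action,0x3e1a0,3,192.0.2.10
2010-07-20 02:05:07,538,Forefront-Action,0x3e1a0,3,
2010-07-20 09:14:30,540,jsmith,0x4b220,3,192.0.2.77
2010-07-20 17:40:02,538,jsmith,0x4b220,3,
2010-07-21 02:05:02,540,Forefront-Action,0x51c44,3,192.0.2.10
2010-07-21 02:05:09,538,Forefront-Action,0x51c44,3,
2010-07-21 11:00:00,540,Forefront-Action,0x5a001,3,192.0.2.10
"""

def short_sessions(csv_text, account, max_seconds=10):
    """Pair each 540 logon with the 538 logoff sharing its Logon ID and
    return the sessions for `account` that lasted at most max_seconds."""
    open_logons, sessions = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["user"].lower() != account.lower():
            continue
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["event_id"] == "540":
            open_logons[row["logon_id"]] = (when, row)
        elif row["event_id"] == "538":
            start = open_logons.pop(row["logon_id"], None)
            if start is None:  # logoff whose logon is outside the export
                continue
            began, logon = start
            seconds = (when - began).total_seconds()
            if seconds <= max_seconds:
                sessions.append({"start": began, "seconds": seconds,
                                 "logon_type": logon["logon_type"],
                                 "source": logon["source"]})
    return sessions

def recurring_times(sessions, min_days=2):
    """Map HH:MM -> sorted sources for start times seen on >= min_days dates."""
    seen = defaultdict(lambda: (set(), set()))
    for s in sessions:
        dates, sources = seen[s["start"].strftime("%H:%M")]
        dates.add(s["start"].date())
        sources.add(s["source"])
    return {t: sorted(src) for t, (d, src) in seen.items() if len(d) >= min_days}

if __name__ == "__main__":
    print(recurring_times(short_sessions(SAMPLE, "Forefront-Action")))
```

A recurring start time with a single source address points at a scheduled job on that host; logon type 3 means the account authenticated over the network rather than interactively.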